Malicious code in f0-data-constructor (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9133720bff10d051149c2acb0dcab98768e9badae42fe211352aa258afd49c28 The OpenSSF Package Analysis project identified 'f0-data-constructor' @ 1.0.0 npm as malicious. It is considered malicious because: - The packag...

SnakeYaml: Constructor Deserialization Remote Code Execution

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution RCE...

ALPINE-CVE-2023-32006

The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note th...

CVE-2023-32006

The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note th...

CVE-2023-32006

The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note th...

CVE-2023-32006

The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note th...

Missing validation for the _l1TimelockMinDelay parameter in the constructor to ensure it's within a reasonable or expected range.

Lines of code Vulnerability details Impact The constructor accepts a parameter l1TimelockMinDelay and assigns it to l1TimelockMinDelay without performing any validation checks. This means potentially erroneous or extreme values can be set, which could cause undesired behaviors in the system or op...

RemoteOwner circular dependency at deployment time

Lines of code Vulnerability details Impact The RemoteOwner.sol contract has a security measure that ensures the sender from the remote/origin chain was the origin chain owner i.e. a RngAuctionRelayerRemoteOwner.sol deployment, and this address is set at deployment time in the constructor. The...

Add access control to inti constructor like function

Lines of code Vulnerability details Impact Not adding access control to init function would allow for frontrunning and injection of malicious code Proof of Concept event MinDebtRateUpdateduint256 oldVal, uint256 newVal; /// @notice event emitted when the maximum debt rate is updated event...

PowerJob Command Execution Vulnerability

PowerJob is an open source distributed computing and job scheduling framework that allows developers to easily schedule tasks in their applications. A command execution vulnerability exists in PowerJob version 4.3.3, which stems from the parameter instanceId of /instance/detail failing to properl...

SUSE CVE-2023-39018

FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which...

The FollowNFT.initialize() function will never be executed

Lines of code Vulnerability details Impact This function Initializes the follow NFT. To check if a function has already been initialized use: if initialized revert Errors.Initialized; This condition will always end with revert Errors.Initialized, because in the constructor, when expanding the...

Function initialize Not Work

Lines of code Vulnerability details Impact As mentioned in the comment of the function initialize, "This is called right after deployment by the LensHub, so we can skip the onlyHub check". However, when the contract FollowNFT is deployed, the state variable initialized is set to true in the...

GHSA-2JX3-FX5F-R2C6 FFmpeg discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>

Withdrawn This advisory has been withdrawn because it has been found to be disputed. Please see the issue here for more information. Original Despcription FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.. This vulnerability ...

CVE-2023-39018

FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which...

Code injection

FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which...

NFTBoostVault is not a proper implementation/logic contract in upgradeability system

Lines of code Vulnerability details Impact As per the natspec comments in the NFTBoostVault contract, the NFTBoostVault contract "is Simple Proxy upgradeable which is the upgradeability system used for voting vaults in Council". This implies that this contract will be used as the...

CVE-2023-39018

FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which...

Incorrect distribution of shares and liquidity as a result of total number of shares not equaling 100

Lines of code Vulnerability details Impact If the shares are not properly validated and do not add up to 100, there will be an imbalance in the distribution of funds resulting in loss of funds or locked funds that cannot be accessed or distributed correctly. Proof of Concept The constructor of th...

TOTOLINK A3300R 操作系统命令注入漏洞

TOTOLINK A3300R is a dual-band wireless router manufactured by China's Gion Electronics TOTOLINK, mainly used for home and small network environments. A code execution vulnerability exists in the TOTOLINK A3300R. The vulnerability stems from the lang parameter of the setLanguageCfg method failing...